User Profile
Yashrajsp10
Copper Contributor
Joined 4 years ago
Recent Discussions
Activity from a Password spray associated IPv6 address
Hi, I have a Microsoft 365 Defender alert for "Activity from a password-spray associated IP address". The address in question is "::1", which is a loopback address for IPv6. The activity was related to Microsoft Exchange Online. I wanted to know why and how a loopback address was associated with this activity. What could have caused this issue and raised the alert?

VMs Deletion
Hi Techies, our SOC team got an alert where 25 VMs were deleted in a single session. The investigation logs in 365 Defender show that the VMs were successfully deleted; the same was confirmed with the user who deleted those VMs. But I still see those VMs as resources in the subscription. They are still there. What could be the reason? Probably that it was not deleted properly. Please help. Thanks 🙂

Azure Firewall Logs
Hi, I was checking some firewall logs by running the below query:

    CommonSecurityLog
    | where DeviceProduct == "firewall1" or DeviceProduct == "firewall2"
    | project TimeGenerated, DeviceName, SourceIP, DestinationIP, DestinationPort, Protocol, DeviceAction, Activity
    | sort by TimeGenerated desc
    | where DestinationIP contains "a.b.c.d"

I do get the results after this. But I do not understand the result in the "DeviceAction" column.

Result is:

    TimeGenerated [UTC]: 2022-11-05T15:12:23.003Z
    DeviceName: f03xxxxxxxxxx
    SourceIP: 172.x.x.x
    DestinationIP: 103.x.x.x
    DestinationPort: 80
    Protocol: tcp
    DeviceAction: reset-both
    Activity: THREAT

What does reset-both mean?